MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f80be7f5556f97ce097e588b184ac44c66b72b05a96d833929818774bbaaaa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f80be7f5556f97ce097e588b184ac44c66b72b05a96d833929818774bbaaaa2
SHA3-384 hash: 13c6350a1cb4c14319dfb1b85c4987871f2642436e29885b94fd617a3e930fc2afab69a2c8468d4c72e7d31c5387ca8a
SHA1 hash: 3d7fa9edd340029d925bc78bd9682247539a22d0
MD5 hash: 7332546153d54127aec74614216c91e3
humanhash: table-sink-fix-nineteen
File name:1F80BE7F5556F97CE097E588B184AC44C66B72B05A96D.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'920'224 bytes
First seen:2022-01-19 19:07:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 15aeac4aa1d11f9ad3fc4c4ac7bb9468 (58 x RedLineStealer, 5 x RaccoonStealer, 3 x CoinMiner)
ssdeep 24576:LhYmnp1YpDseQOqM9T9xC8cMKABnxaLf9BW1rkTzIPCoWh/8o6kEaHNYK386Y3YY:LSmnpCpQsFTcMKmxaUQYwT6Nam6Y3YY
Threatray 1'145 similar samples on MalwareBazaar
TLSH T1FB9533236485516AD8071E7095A3C424222B38AFC7D83D5BE9691F03EF99C6234FB6F9
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://138.68.162.128/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://138.68.162.128/ https://threatfox.abuse.ch/ioc/302456/

Intelligence

File Origin
# of uploads :
1
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1F80BE7F5556F97CE097E588B184AC44C66B72B05A96D.exe
Verdict:
No threats detected
Analysis date:
2022-01-20 02:23:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7f156701-6429-46c2-9db1-d5f5d5e85e3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220780/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Searching for the window
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed racealer
Link:
https://www.filescan.io/uploads/61e861640f8c757253cd7828/reports/b37931eb-4f7d-4804-8cd2-a007a2d61cb3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5394f82f-be09-4fc8-8a25-5815b3e8c3b7
Result
Threat name:
Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923796
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Writes to foreign memory regions
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f80be7f5556f97ce097e588b184ac44c66b72b05a96d833929818774bbaaaa2/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-12-14 22:45:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
34 of 43 (79.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d6al472vk34xzyex4weldbfmitdgw4vqlklnqm4stamhos52vkra._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0c306b9f25c5a6291565e1a590282afc84a96e88fb630706bf14204451d7ca2a
RaccoonStealer
0d46eeee299f7d4e4555a477e6a699bb166d5ea4a1344820eceb321e900ee68a
RaccoonStealer
1cfa7d9edcfe5a277e5c7f20e702a6b2cfd652e6f812b8203f5ed8fa9070994d
RaccoonStealer
932fda59abbce6378d0637c359b61b0747c9602e2e87d3105bb49ad745ed382e
RaccoonStealer
a155f3d9a75271823b77574f7d694db31ced6555cb6970c2b224f3ff5b0c80e7
RaccoonStealer
ba1d27e1521b29f5fabc05094b177131f356588ce26b2e5336910df2bd1cc919
RaccoonStealer
+ 1'135 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:2922d902e9eb67ebb6274a1340edac630d6fcd60 evasion stealer trojan
Link:
https://tria.ge/reports/220119-xsnxqacee7/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Unpacked files
SH256 hash:
d56fa00d7e8ce7eb95cc53b822c4978f84ef99db150203716d426eb700504347
MD5 hash:
8bc6c3253b9967700a7314383598af26
SHA1 hash:
181e3b45a355aa1aa8b9442d6e5f5fcbac9bb073
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/fb84d2ec-3550-423a-b7a4-61c175c505a5/
SH256 hash:
1f80be7f5556f97ce097e588b184ac44c66b72b05a96d833929818774bbaaaa2
MD5 hash:
7332546153d54127aec74614216c91e3
SHA1 hash:
3d7fa9edd340029d925bc78bd9682247539a22d0
Link:
https://www.unpac.me/results/fb84d2ec-3550-423a-b7a4-61c175c505a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.08
Link:
https://yomi.yoroi.company/submissions/1f80be7f5556f97ce097e588b184ac44c66b72b05a96d833929818774bbaaaa2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/220780/

Comments